Efficient Cryptographic Protocols Based on Noisy Channels

Efficient Cryptographic Protocols Based on Noisy Channels Claude Crdpeau * Dkpartement d’hformatique et R.O., Universitk de Montrkal, C.P. 6128, succursale centre-ville, Montrkal (QuCbec), Canada H3C 3J7 e-mail: crepeauoii-o.umontreal.ca.

Abstract. The Wire-Tap Channel of Wyner [19] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a crypt,ographic scenario of two honest people facing an eavesdropper. Later CrCpeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires f l ( n ” ) bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending O(n) and O ( n 3 )bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [l] that allow two people to extract secret information from partially compromised data.

1

Introduction

The cryptographic power of a noisy channel has been demonstrated by Wyner [19] who showed that two honest parties, say A and 8,can exchange a secret key on which an eavesdropper & may obtain only a small fraction of the information as long as A and B are connected by a Binary Symmetric Channel of better quality than a similar Channel connecting them to 1.More recently, a result of Bennett, Brassard, Crkpeau and Maurer 111 provides a technique called Generalized Privacy Amplification to ensure that E’s information is an arbitrary small fraction of a bit under the same conditions. But cryptogra,phy is no longer interested solely in protecting communications. As a result of public-key cryptography, a large number of other cryptographic tasks have emerged. Examples of such tasks are Coin-flipping by telephone [3] and Mental Poker. These may involve two or more parties, some of which may be dishonest. The general concept of Distributed Function Evaluation was first introduced by Yao [20] and later extended t o “Mental Games” by Goldreich, Micali and Wigderson [la].

* Supported in part by Qukbec’s FCAR and Canada’s NSERC.

W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 306-317, 1997. 0Spnnger-VerlagBerlin Heidelberg 1997

307

Distributed Function Evaluation and Mental Games are multi-party algorithms which involve secret data that the parties want to keep from one another. In the model where we are ready to accept computational assumptions, such general tasks can be achieved from basic assumptions such as the existence of a One-way Trapdoor Function [la]. The lesson derived in the computational model is that very simple protocols are sufficient to achieve the general ones. The two primitives known as Bit Commitment (defined in Section 3) and Oblivious Transfer (defined in Section 4) are elementary protocols that are sufficient in general to accomplish any Mental Games, even in a non-computational scenario [14, 81. The current paper considers a scenario where only two people, A and B,are involved and where we put no limitation on their computing power. If we made no further assumption, it would be impossible t o accomplish Mental Games. Thus, the extra assumption we make is that A and B are connected by a Binary Symmetric Channel (BS,), that is a channel that will change the value of a bit b with probability E as it travels from one party to the other. A first protocol to accomplish Oblivious Transfer from a Noisy Channel was presented in [9]. Unfortunately, that protocol is quite complex and requires Q ( n l l )bits sent through the BSC to perform a single Oblivious Transfer, where n is a security parameter that specifies the reliability of the protocol. As a consequence, any two-party computations may be performed from the assumption that there exists a reliable BSC. The current solution is by far more efficient than those suggested earlier. The current paper provides a protocol for Bit Commitment that uses O ( n ) times the BS, and a protocol for Oblivious Transfer that uses O(n3)times that primitive, where n is a security parameter that specifies the probabilities of failure of the protocols. These probabilities are all exponentially small in n.

2 2.1

General Tools Error Channel

We consider a standard error model: the binary symmetric channel. In the binary symmetric channel A sends a bit to B that is flipped with probability t

BSc(x) =

5 with prob. E x with prob. 1 - t .

By extension, we also write BS,(w) as a shorthand for B S , ( W ~ ) B S ~ (... W BZ S f)( w n ) when w = W ~ W... Z wn is an n-bit word. Let H(c) = -tIgc - (1 - t) lg(1 - c) he the binary entropy function. We define the channel capacity of the BS, t o be C, 1 - H ( t ) . A nice property of the binary symmetric channel is that it is totally symmetrical between the participants: if B wants to send a bit z via BS,(x) to A when it is only available from A to B,they can do as follows:

308

Protocol 2.1 (

BS,(x)

)

1: A picks P' ER {0,1} and runs BS,(r) with B who gets r', 2: 8 announces y t z 6,r ' t,o A, 3: A returns y @ r . In general, for the binary symmetric channel, any protocol may be inverted Therefore the protocols of by permuting A and B and replacing BS, by E,. sections 3 and 4 may be achieved from a noisy channel running either way. This is not the case w i t h all charinels. The following is an example of the opposite type. An alternative t o the binary symmetric channel would have been to consider the erasure channel where bits are either received without errors, or cornpletly lost with probalities 1 - t and E . However this situation has been previously analyzed since the erasure channel is the same as Rabin's Oblivious Transfer [16]. Protocols for Wit Commitment and (:)-OT using Rabin's O.T. are available in [14] and [7]. 2.2

Coding theory

An [ n ,k ,dj linear code C is a linear subspace of (0, l}n of dimension k (and cardinality 2 k ) such that no two words c1, c2 from C are such that d ~ ( , ca) q < d, except if c1 = c2, where d H ( Z , y) is the Hamming distance between z and y: the number of positions where lhey differ. Such a code is defined as the linear combinations of the rows of a generating matrix G of dimension k x n. Alternatively, C m a y be defined as the kernel of a parity check matrix H of dimension 72. x ( n - k ) . Knowledge of G or H is coniputationally equivalent as it is easy to get one from the other. For section 3 we need the well known fact, [15, chap. 17, prob. (30)] that t,here exists a constant p > 1 such that a random binary matrix G of size Kn x n defines a binary linear code with minimal distance at least En, except with probability not grealer than p ( R - C c ) " , for values of R < C,. For section 4 we need codes that are efficiently decodable with high correction rate and high dimension. For this purpose we use concatenated codes defined in [ll]t'hat are efficiently encoded and decoded. Asymptot,ically,very long [ n ,Rn, d] concatenated codes may be constructed in such a way that for every t > 0 there exists a constant p > 1 such that the codes fail to correct tn errors except; wit,h probability not greater than p(R-Cc)", for values of R < CF (although the minimum distance d ma,y be somewhat smaller than m ) .Please consult [Ill for more information on asymptotic performances of concatenated codes. In some situations the information transmitted is not a codeword. In such a case, as long as the syndrome syn(w) = H T w of a word w is known the decoding algorithm may be used t o recover w from a noisy version of that word and the value of syn(w). Please consult [15] for more inforniatiori on coding theory.

309

2.3

Generalized Privacy Amplification

Let W be a random variable uniformly distributed over (0, l}nand let BS,(W) be another random variable obtained from W through a binary symmetric channel of error rate t , i.e. Prob [BS,(W) IvlW = w]= (1 - ~ ) n - d H ( w ~ u ) ~ d H ( w ~ " ) , Let G be a random variable taking values g : {0,1}" + {0,1}' uniformly distributed from a ,universal2 class of hash functions [6]. It is shown in [l] that Theorem 1. For any 6

> 0 and all suficiently large n , for s = n ( H ( 6 )- 6) - r

H(G(W)(BSc(W),G)2 r -

2-$ ~

2

'

Moreover, according to [2, 5, 11 for the special case where we have a linear function syn : (0, I}" -+ (0, Theorem2. For any (T E ( 0 , l}tl6 > 0 and all sufficiently large n , for s = n(H(c) - 6 ) - r 2t-3

H ( G ( W ) l s p ( W )= U , BS,(W), G) 2 T - In2 ' Since H ( G (W )Isyn(W) = CT, BS,(W), G) = r means that no information about G ( W ) is given by syn(W) = a , B S , ( W ) , G , the above result is exponentially close to the best possible: the latter contains almost no information about G ( W ) .

3

Bit Commitment

Assume that a party, A, has a bit b in mind, to which she would like to be committed toward another party, t?. That is, A wishes, through a procedure BC(b), to provide f? with a piece of evidence w that she has a bit b in mind and that she cannot change it (binding). Meanwhile, B should not be able to tell from that evidence what b is (concealing).At a later time, A can reveal, through an unveiling procedure UN(b,p),the value of b and prove through p to B that the piece of evidence sent earlier (2u) really corresponded to that bit. Bit commitment schemes have several applications in the field of cryptographic protocols. In particular one can implement zero-knowledge proofs of a variety of statements using bit commitment schemes [13, 41. The first implementations of bit commitment schemes were given in a computational complexity scenario [3]. Unfortunately, proofs of their (computational) security have always required an unproven assumption since otherwise they would imply very strong results such as P # NP. This section is inspired by that work of [5] to achieve Bit Commitment in the model of Quantum Cryptography.

31 0

3.1

Bit Commitment from Binary Symmetric Channel

Intuition behind Protocols BC & UN After establishing a proper errorcorrecting code, A sends a codeword from that code to B through the BS,. The code is such that B should have many candidates for A’s codeword after seeing it through the BS,. The secret bit of A is given by applying a random function from a universal2 class to the codeword. To unveil her bit, A discloses her codeword. She should not be able to announce two codewords that R will find close enough to the word he received to believe her. Formal Protocol Let E be the error probability of the channel, and y < 1 be a positive number. Let 6 > 0 be such that H ( E )- 6 > H(yc) and such that (H(E)- S)n is an integer. The following protocols work for any value o f t such that 0 < E < 1/2, in contrast to the protocols of Section 4.

Protocol 3.1 ( BC(b) ) 1: B chooses and announces Lo A a binary linear [ n ,k,d]-code C with parameters k = (1 - H(e) + 6)” and d 2 yen.

2: A -

picks a random n-bit string m and announces it to B, picks a random codeword c E C such that c m = b, n

- DO runs SS,(cl) with B who receives c : , e= 1

- returns c , b. 3: B sets c’ t (tic: . . .c’,) and returns ( C , m ,c’).

B keeps c’ secret forever, whereas A keeps b and c secret until (and if) unveiling takes place. If A subsequently decides to unveil her commitment, she initiates the next protocol with B. There exists a positive number X < y( 1/2 - c)/2 such that an honest A is likely t o satisfy the following with overwhelming probability while a dishonest A is unable t o open the commitment as both bits with overwhelming probability.

Protocol 3.2 ( UN(c,b ) , (C, rn,c’) ) 1: if ( c E c) A ( b = c om)A (dH(c,c’) < m + An) t h en B accepts else 8 rejects.

Details of the Protocol In the above Protocol BC we ask L? to choose a code with specific parameters. The effect of these parameters on the security of the protocol explain why we require l? to do this job and not A: the bigger (d is, the more unlikely it is for A to cheat and the bigger k is, the more unlikely it is

311

for I3 to cheat. Coding theory give us limits on how big d and k can be at the same time. In order to have them as large as possible at the same time, the best construction known to this day is t o pick the generating matrix of the code at random. Nevertheless, in this case the value of k is easy to figure out from the matrix (the rank of the matrix) while the exact value of d is more difficult to determine. All we know is that it is likely to be high. As discussed in Sect. 2.2, a random binary matrix G of size Rn x n defines a binary linear code with minimal distance at least en except with probability p ( R - C e ) n , thus I3 has an exponentially small probability of having d too small when he picks a k x n matrix at random. A can easily verify t h a t the value of k is correct. The random vector m is used to define a Privacy Amplification Function of ( 0 , l ) ” to ( 0 , l ) .

3.2

Analysis of the Protocol

Concealing Let C and M be the random variables describing a’s possibilities for c and m.Before c is sent through the BSC, C is uniformly distributed among all the possible codewords of C and M among all possible whit strings. Let 0 < 6’ < 6. We are in the scenario of Theorem 2 with r = 1, t = (H(c) - d)n, and s = (H(c)-d’)n-l. We therefore conclude that seeing a codeword c through a BSC and learning m is not enough to know much about c 0m: Theorem 3. For any all sufliciently large n, q( 6’

- 6 )n+1

H ( C 0M l s y n ( C ) =

Binding An honest A sends a random codeword c through - the channel. Consider the random variable d ~ ( cBS,(c)). , Tt is clear that E ( d ~ ( c , B s , ( c )= ) )cn and by Bernstein’s law of large numbers [17, Chap. VII, Sect. 4, Theorem 21 Prob [ d ~ ( cBS,(c)) , > m + An] is exponentially small in n for all A sufficiently small, and all sufficiently large n. A dishonest A sends any word w through the channel and later would like to claim co or c1 to unveil as 0 or 1. One of these, say c , , is such t,hat d H ( c , , w ) > ycn/2. Consider the random variable d ~ ( c , BS,(w)). , It is easy to calculate that E ( d ~ ( c ,BS,(w))) , 2c n + y ( l / 2 - ~ ) n and by Bernstein’s law of large numbers Prob [ d (cz, ~ BS,(w)) < en + y(1/2 - 6 ) . - An] is exponentially small in n for all X sufficiently small, and all sufficiently large n. Thus any X < y( l / 2 - c ) / 2 will satisfy our requirements that an honest A succeeds except with probability exponentially small in n , while a dishonest A succeeds to open both ways only with probability exponentially small in n.

312

4

Oblivious Transfer

One-out-of-two Oblivious Transfer, denoted (Y)-OT, is a primitive that originates with [18] (under the label of “multiplexing”). According t o this primitive, one party d owns two secret strings wo and 201, and another party B wants to learn w, for a secret bit c of his choice. A is willing to collaborate provided that t? does not learn any information about w E ,but t? will only participate if A cannot obtain information about c. Similarly, in an Oblivious Transfer [16], A sends a message to B that is received with probability E (this fact is out of their control) while the message is otherwise lost. A does not find out what happened. t? knows if he got the message or nothing. We note this protocol OT,. Independently from [lS] but inspired by [16], (?)-OT was introduced subsequently in [lo] with applications to contract signing protocols. These two simple cryptographic tools have been extensively studied by several researchers because they turned out to be elementary blocks to build more elaborate cryptographic tasks known as (‘secure computations”. This idea introduced by Yao [20] allows A and B t o compute a two-argument function on data they would like to keep secret from one another. They find out the output of the function but not their respective inputs. It was shown in a computational model that One-out-of-two Oblivious Transfer suffices to perform general secure computations by Goldreich, Micali and Wigderson [12] and later in an abstract (not necessarily computational) model by Kilian [14]. Cripeau showed [7] that indeed Rabin’s Oblivious Transfer can also do the job by describing a general technique to turn an Oblivious Transfer into a One-out-of-two Oblivious Transfer. The result of the current section is an extension of that technique.

4.1 Oblivious Transfer from B i n a r y S y m m e t r i c Channel Basic Idea For E > 1/2, simulate OT,(b) with protocol O^T,(b) obtained by sending b twice through the BSC of error probability ’p = and then reduce (:)POT to O^Tc(b)with a Protocol similar to that of [7].

Protocol 4.1 ( CTE(b)) 1: A runs BS,+,(b)BS,(b)with f? who receives bobl, for cp = *. 2: if bo = bl then B returns bo else B returns E .

The problems with this approach are that 6?,(b) makes errors and that A can send bad pairs bb: if A is honest and sends bb through the binary symmetric channel then 2 4 1 - p) if z = E

31 3

B receives a bit with probability c = ‘p2 + (1 - (p)’. If instead A is dishonest and sends 6b or b6 through the binary symmetric channel then the probability that B receives a bit is 1 - E = 2 4 1 - p). If no extra checks are performed, A could send bad pairs and figure out in Protocol 4.2 which set is good and which set is bod by the fact that good pairs are more likely to have been received. The errors are first solved (in Protocol 4.2) by the same trick as in [2] using codes to fix them, while the cheating by A is later taken care of (in Protocol 4.3) by running statistics on the frequency of bb pairs. Protocol 4.2 introduces another kind of cheating A could perform that is also solved in Protocol 4.3. Intuition behind Protocol (:)-o^T For this first protocol we assume A behaves honestly and will remove this assumption in the final protocol. The idea of the first protocol is that A sends 2n random bits T I ~ 2 ...) ) rzn to Busing OT,. B should receive roughly 2cn of these and lose 2(1- c)n. B forms two sets 1 0 , 1 1 of size n and thus defines two strings T:, , ri, of size n (T’ restricted to 10 and 1 1 ) . String TI, should be entirely known by B , while string should be partially unknown by B. Nevertheless, because OT, is imperfect, we expect an average of (c + 6)n, d] correcting r < n errors. 4: A - computes and sends SO t syn(r1,) and s1 t syra(rr,), - picks and sends a ranAdomn-bit word m, - computes and sends bo t 4 @ (m @ r l o ) and 6 1 t bl @ ( m 0 r ~ ~ ) . 5 : fJ - recovers rIc using r i c , 3, and the decoding algorithm of C, ~

computes and returns

iC @ (m @ TI=).

314

(:)-o^T

Details and discussion of Protocol The code used for this protocol requires the extra property that it must be efficiently decodable. This can be done by using concatenated codes. For cp < 0.1982 the conditions of Step 3 can be satisfied. Therefore, contrary to Protocol BC, this new protocol works only for reliable enough channels BS, (not for all p). B is unable to cheat this protocol because whatever way he splits the ‘(good” bits (r: # E ) between I o , I l , he will not be able to put more (c S /2 ) n good bits in at least one of 10 or 11.Since k > ( E S)n then s y n ( ~ ~ syn(rrl) ~ ) , each contain n - lc bits of information, i.e. no more than (1 - E - S / 2 ) n bits. Thus, at least one of the two words T I , , rIl will be undetermined by at least dn/2 = n-(l+d)n/2-(1/2--d)n bits. Using privacy amplification, this word will contain an exponentially small amount of information about its related bit. Therefore, K? cannot learn both of A’s bits. Unfortunately, A can cheat this protocol in two different ways that allow her to figure out B’s secret input c: at Step 2 A can send (‘bad” pairs rifi or Firi instead of riri increasing the probability that it is lost ( r : = E ) by 8 and at Step 4 she can send a “bad” syndrome leading B to a decoding error. In the first cheat, “bad” pairs are more likely to end up in the ‘(bad” set thus indicating to A which one is more likely to be the “good” and (‘bad” sets. In the second cheat, if A makes only one syndrome bad then U might have to abort depending on which bit he is trying to get. Protocol 4.3 solves these two problems.

+

+

Intuition behind Protocol (;)-OT The general idea of this new protocol is to repeat Protocol (;)-OT several times for random he,o,he,l and ce and combine these instances in such a way t o pxvent A’s cheating as above. More precisely, Protocol (?)-OT is repeated n2 times. We combine the n2 instances of (;)-OT in such a way that A must cheat in each instance if she wants to discover the value of c . Protocol o^T is used a total of 2n3 times. In order to obtain information A must send at least n2 bad pairs in these protocols. This will make a statistical difference that will he detected with probability almost 1. If A uses less than n2 bad pairs, she f i g s out nothing about c. Similarly, if A sends bad syndromes in protocol (f)-OT with probability 1/2 she will be detected by l3 because he reads according to a random choice. If she uses O ( n ) such syndromes it is almost certain that B will detect her cheating. Let n be an odd number. The instances are combined by requesting that h

n2

be,o @ be,l = bo @ b l for 1 5 t

e=i n2

n2

5 n 2 . Let bo,o = @be,o and bo,l = @ b e , l . These e=i

0.1.

requirements cause that @be,c, = bo,= for z = Thus in order to find out e=i e=i which of bo,o or bo,l B is trying to get, A must find out all the c ~ .

Full Protocol Let y be a number grea.ter than 1 and n be an odd2umber. An extra index l is added to each variable of the lthiteration of (X)-OT.

315

Protocol 4.3 ( (:)-OT(bo, b , ) ( c ) )

1: A picks

n2 random bits bl,o, bz,o, ...,bn2,0 and sets

be,, t bo

@ bl @ b r . 0 , for

c 5 n2.

15

2: 8 picks n2 random bits c l , c z , ...,c , ~ . na

3: DO 1= 1

1. A runs (;)-6?'(bl,o,

b r , l ) ( c e ) with

8 who gets b6,

2 . if dH(r[,rt,=!, r i , l t , c t )> r